Always glad to help a student who wants to learn! Let me offer a general comment that may be useful in many situations: Try not to get so buried in coding details that you lose sight of the actual objectives. For security matters, always ask yourself exactly what you are trying to protect against before you even begin to determine what kind of code you will use. For example, are you trying to protect against someone making a deliberate attempt to gain access to a particular user's account? Or maybe an attack that might allow a hacker to gain access to your database, thereby capturing ALL of the user passwords and other user data? Or gaining access to the server's control system, or even destroying data on the server, etc.? You might think, "Sure, ALL of those!", but you need to consider all those possibilities, and then evaluate your preliminary choices for methods to see whether they would be effective against the specific threats that you are trying to protect against. "Security" isn't just one big basket; it's a careful consideration of each and every potential threat, and most of those require different strategies to protect against. Passwords are only one part of security and do not protect against Denial of Service attacks, for example. Just some thoughts for you to consider.

@Celauran interesting idea; I was struggling with the idea of how to get a password (a new one) to the user, but this seems like it could work in a system where there isn't an option to email. Something I would add to this is a time-limited option where a user would have x amount of time to change their password before the temporary password expires.

You can't unhash. That's the whole point of hashes. If you want to allow the user to change their password, have three fields: existing, new, new repeated. When the form is submitted, hash the existing password and compare it against what's in the database, then compare the new and new repeated fields. If both tests pass, update the password with the hash of the new password.
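The three-field flow described in the reply above, written out as an added example (it is not code from this thread, and it does not use PasswordHash.php). It relies on PHP's built-in password_hash() and password_verify() (PHP 7.1+ for the nullable return type), which, like phpass, produce salted hashes: that is why the "hash the existing password and compare it" step has to go through the library's verify routine rather than a string comparison of two freshly computed hashes. It also goes a little beyond the reply by adding the time-limited temporary password suggested earlier in the thread. The in-memory $users array, the account name "alice", the 12-character length rule and the function names are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample "user table": one ordinary account. The hash is generated
// at runtime; there is no real data here.
$users = [
    'alice' => [
        'password_hash'   => password_hash('correct horse', PASSWORD_DEFAULT),
        'temp_expires_at' => null, // unix timestamp, set only for temporary passwords
    ],
];

/**
 * Issue a time-limited temporary password (the idea from the thread above).
 * Returns the plaintext so it can be handed to the user out of band; only the
 * hash and the expiry are stored. $now is passed in so the flow is testable.
 */
function issue_temporary_password(array &$users, string $username, int $ttl_seconds, int $now): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    $temp = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $users[$username]['password_hash']   = password_hash($temp, PASSWORD_DEFAULT);
    $users[$username]['temp_expires_at'] = $now + $ttl_seconds;
    return $temp;
}

/**
 * Password-change flow with the three fields: existing, new, new repeated.
 * Returns true on success and false on any failure, without saying which
 * check failed, so the response does not reveal whether the existing password
 * was right.
 */
function change_password(array &$users, string $username, string $existing, string $new, string $repeat, int $now): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $row = $users[$username];

    // A temporary password that has passed its deadline is no longer usable.
    if ($row['temp_expires_at'] !== null && $now > $row['temp_expires_at']) {
        return false;
    }
    // Step 1: verify the submitted existing password against the stored hash.
    // The stored hash carries its own salt, so password_verify() must be used.
    if (!password_verify($existing, $row['password_hash'])) {
        return false;
    }
    // Step 2: the two new-password fields must match.
    if ($new !== $repeat) {
        return false;
    }
    // Assumption: a minimal length rule; substitute your own policy here.
    if (strlen($new) < 12) {
        return false;
    }
    // Step 3: store only the hash of the new password and clear any
    // temporary-password deadline. The plaintext is never written anywhere.
    $users[$username]['password_hash']   = password_hash($new, PASSWORD_DEFAULT);
    $users[$username]['temp_expires_at'] = null;
    return true;
}

// Usage with the constructed data (CLI: php change_password.php).
$now = time();

$ok = change_password($users, 'alice', 'correct horse', 'new-password-123', 'new-password-123', $now);
echo 'normal change: ', $ok ? 'ok' : 'failed', PHP_EOL;

$temp = issue_temporary_password($users, 'alice', 900, $now); // valid for 15 minutes
$ok = change_password($users, 'alice', $temp, 'another-password-456', 'another-password-456', $now + 60);
echo 'temporary password used inside the window: ', $ok ? 'ok' : 'failed', PHP_EOL;

$temp = issue_temporary_password($users, 'alice', 900, $now);
$ok = change_password($users, 'alice', $temp, 'yet-another-password-7', 'yet-another-password-7', $now + 3600);
echo 'temporary password used after expiry: ', $ok ? 'ok' : 'failed', PHP_EOL;
```

In a real application the array would be a database row keyed by the user and the three form fields would arrive via POST; the checks stay the same. Returning a single "failed" result for every failure is deliberate: distinguishing "wrong current password" from "new passwords don't match" in the response gives an attacker who has hijacked a session a free oracle for guessing the current password.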

Managed to register a user. I can see the user in the database and the hashed passcode, but I am not able to log in. The only changes I have made are the db connection details. I haven't touched the PasswordHash.php file. When I try to log in I get the "login failed" message.
